Date:      Thu, 9 Aug 2018 23:55:58 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        "David P. Discher" <dpd@dpdtech.com>, John-Mark Gurney <jmg@funkthat.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Is if_ipsec/ipsec - AESNI accelerated ?
Message-ID:  <17acb9c4-f775-04be-4903-3d022a2fa1ac@yandex.ru>
In-Reply-To: <BE275E67-A768-47E9-97D4-0A5E4FDC44EF@dpdtech.com>
References:  <D47976AF-A0AF-4A58-B80E-31E9DED96D26@dpdtech.com> <dc8bea35-1770-48d0-3662-c58e72bd3d2d@yandex.ru> <62E0C365-AD64-4383-8BA4-298AA0E292F4@dpdtech.com> <e9da62df-90e4-e45b-b073-c4c39555b38d@yandex.ru> <BE275E67-A768-47E9-97D4-0A5E4FDC44EF@dpdtech.com>

On 09.08.2018 23:11, David P. Discher wrote:
> The documentation for using IPSec (especially if_ipsec) is really thin
> for freebsd, so I pieced some of this together from various posts and
> mailing list threads.
>
> Is there no need for racoon ? How in this example is the IKE/ISAKMP
> setup done ? Is setkey doing this ?

> This is 11.2-stable, shortly after release … I don’t have this sysctl.

This is a manually configured tunnel between two FreeBSD 12.0-CURRENT
hosts. I can suggest trying the patch and config from this post:

https://lists.freebsd.org/pipermail/freebsd-net/2018-May/050509.html

>> Need to see your setkey.conf, or at least the output of setkey -D..
>
> setkey.conf is :
>
>         flush;
>         spdflush;
>
>         spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.202/unique:12;
>         spdadd -4n 172.30.1.12/30 172.30.1.12/30 any -P in ipsec esp/tunnel/10.245.0.202-10.245.0.201/unique:12;
>         spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P out ipsec esp/tunnel/10.245.0.201-10.245.0.203/unique:4;
>         spdadd -4n 172.30.1.4/30 172.30.1.4/30 any -P in ipsec esp/tunnel/10.245.0.203-10.245.0.201/unique:4;

You don't need to create security policies for if_ipsec interfaces. They
are created by the interface automatically.

-- 
WBR, Andrey V. Elsukov
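
As an added illustration of the point made in this reply (not code from the original thread or from the FreeBSD project), the following script configures an if_ipsec(4) tunnel the way a manually keyed setup is done: only the SAs are loaded with setkey, tied to the interface through its reqid, and no spdadd lines are written because the interface installs its own policies. The interface name, addresses, SPIs, reqid, choice of aes-gcm-16 and the zero placeholder keys are assumed values.

```sh
#!/bin/sh
# Added example: configure an if_ipsec(4) tunnel with manually keyed SAs.
# Addresses, SPIs, reqid and keys below are constructed placeholders.
set -eu

IFNAME=ipsec0
LOCAL_OUTER=10.245.0.201      # tunnel endpoint on this host
REMOTE_OUTER=10.245.0.202     # tunnel endpoint on the peer
LOCAL_INNER=172.30.1.13/30    # address assigned to the ipsec interface
REMOTE_INNER=172.30.1.14
REQID=12                      # must match "-u" on both SAs
SPI_OUT=0x1000c
SPI_IN=0x1000d
# AES-GCM key material is 32-byte key + 4-byte salt (72 hex chars);
# generate one per SA with: openssl rand -hex 36
KEY_OUT=0x$(printf '%072d' 0)   # placeholder, replace before use
KEY_IN=0x$(printf '%072d' 0)    # placeholder, replace before use

# Emit the setkey(8) configuration: SAs only, no spdadd lines, because
# if_ipsec installs the matching security policies itself.
gen_setkey_conf() {
    printf 'add %s %s esp %s -m tunnel -u %s -E aes-gcm-16 %s;\n' \
        "$LOCAL_OUTER" "$REMOTE_OUTER" "$SPI_OUT" "$REQID" "$KEY_OUT"
    printf 'add %s %s esp %s -m tunnel -u %s -E aes-gcm-16 %s;\n' \
        "$REMOTE_OUTER" "$LOCAL_OUTER" "$SPI_IN" "$REQID" "$KEY_IN"
}

# Create the interface, bind its tunnel endpoints and reqid, load the SAs,
# then list the policies the interface created rather than adding any.
apply_tunnel() {
    ifconfig "$IFNAME" create reqid "$REQID"
    ifconfig "$IFNAME" inet tunnel "$LOCAL_OUTER" "$REMOTE_OUTER"
    ifconfig "$IFNAME" inet "$LOCAL_INNER" "$REMOTE_INNER"
    gen_setkey_conf | setkey -c
    setkey -DP
}

# Only touch the system when explicitly asked; otherwise print the config.
case "${1:-show}" in
    apply) apply_tunnel ;;
    *)     gen_setkey_conf ;;
esac
```

Run it without arguments to review the generated setkey input; `apply` needs root on the FreeBSD host and real keys in place of the placeholders.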

